git.puffer.fish Git - mirror/frr.git/commit

author	Paul Jakma <paul.jakma@sun.com>
	Tue, 10 Apr 2007 19:36:48 +0000 (19:36 +0000)
committer	Paul Jakma <paul.jakma@sun.com>
	Tue, 10 Apr 2007 19:36:48 +0000 (19:36 +0000)
commit	6e4ab12f1504caa95edc7702a82f118d0de15a0a
tree	50b6784229f92d404e5d6509848c135395743f2f	tree \| snapshot
parent	16d2e2410d6e8cf53fac05b956f3e7ee53bc7234	commit \| diff

[bgpd] Bug #354: Take care to keep reads of MP_(UN)REACH_NLRI in bounds

2007-04-08 Paul Jakma <paul.jakma@sun.com>

* bgp_attr.c: (general) Bug #354: parsing of MP_REACH_NLRI and
  MP_UNREACH_NLRI does not take sufficient care to ensure reads
  from stream buffer stay in-bounds. Hence bgpd may attempt to read
  beyond end of stream, if given a crafted packet. As it uses the
  stream access methods to do so, this will typically result in
  assert() being hit in stream.c. Where code is compiled without
  assert() enabled, result is unknown.
  (struct message attr_str) should be static.
  (bgp_mp_reach_parse) Carefully check length remaining in stream
  against amount desired to read from stream, prior to each read,
  particularly where lengths are conditional on data obtained from
  stream - using STREAM_READABLE.
  Remove code to parse SNPA-number, it's a defunct field and changed
  to a fixed size in latest BGP MP update RFC - log warning if
  SNPA-number is not 0.
  (bgp_mp_unreach_parse) Check withdraw_length carefully against
  STREAM_READABLE.
  (bgp_attr_parse) If attribute-parser function returns error, log
  warning.
  Log attribute type on mismatch.

bgpd/ChangeLog		diff \| blob \| history
bgpd/bgp_attr.c		diff \| blob \| history